Weekly podcast: Bad Rabbit, Kaspersky Lab and the Data Protection Bill

This week, we discuss a new strain of ransomware, Kaspersky’s new ‘comprehensive transparency initiative’, and the latest Data Protection Bill news.

Hello and welcome to the IT Governance podcast for Friday, 27 October 2017. Here are this week’s stories.

A new strain of ransomware appeared on Tuesday, fuelling fears of another NotPetya or WannaCry-scale epidemic as it spread through Russia, Ukraine, Turkey and Germany, hitting Russian media organisation Interfax, the Kiev metro and Odessa airport among others.

Bad Rabbit, as this one’s been named, spreads via drive-by downloads from legitimate websites that have been compromised. There’s no exploit involved, so victims have to execute the malware dropper, which is disguised as an Adobe Flash installer, themselves.

The malware then encrypts files and demands a 0.05 bitcoin payment – about £215 – for the decryption key. It also attempts to spread across the network using the Mimikatz credential harvesting tool and open Server Message Block (SMB) shares, rather than using the EternalBlue exploit to compromise SMB vulnerabilities as NotPetya and WannaCry did.

According to Kaspersky Lab, which discovered the ransomware, Bad Rabbit seems to have been created by Game of Thrones fans, as its code features several references to the series, including the names of dragons and the character Gray Worm. The attack only lasted a few hours before its infrastructure was taken offline – although there is, of course, no indication that it won’t start up again.

Talking of Kaspersky Lab, the Russian cybersecurity firm has announced a ‘comprehensive transparency initiative’ to try to regain trust following allegations about the Russian government’s use of its products to spy on American users and the US government’s subsequent decision to outlaw the use of Kaspersky Lab products in federal departments and agencies.

The company also published a blog this week, which seeks to explain how it got hold of NSA Equation Group exploits in late 2014 – not 2015, as the Wall Street Journal reported. How that information then reached the Kremlin is not discussed, but Eugene Kaspersky himself responded to the allegations in a personal blog and on a YouTube video last week, saying:

“If there was any evidence that we’ve been knowingly involved in cyber-espionage, we’d be toast! No ifs or buts – it’d be game over: governments would take immediate, severe action, including legal moves, and that would be that. But there’s been nothing of the kind. And you have to wonder why.”

The transparency initiative involves an independent source code review starting in Q1 2018, an independent review of internal process to verify the integrity of Kaspersky Lab’s solutions and processes, the founding of three so-called ‘transparency centers’ to allow source code, update code and threat detection rules to be reviewed, and an expanded bug bounty programme, with rewards of up to $100,000 per discovered vulnerability in main Kaspersky Lab products.

Full disclosure time: I, like, I suppose, many others in the industry, received an email from a digital marketing firm on Sunday afternoon saying they’d love me to cover this story, and offering opportunities to ask Eugene Kaspersky anything I wanted. To be perfectly honest I can’t think of anything that won’t already have been asked, nor do I imagine anything particularly useful would come from such an exercise anyway. (“Hello, Mr Kaspersky, are you working for the Russian government?” “Nyet.” “OK. Thank you anyway.”) Still, it’ll be interesting to see how this one plays out.

Finally, the UK’s new Data Protection Bill – which is due to be enacted next May to bring us into line with the EU’s General Data Protection Regulation so that, among other things, we can continue to transfer personal data to and from the EU after Brexit without hindrance – reaches its House of Lords committee stage next week, when the Lords will examine the Bill line by line and vote on amendments. Several groups have taken the opportunity to call for amendments of their own.

Consumer group Which? has called for the Bill to be amended to allow independent bodies to help consumers whose personal data has been compromised get collective redress, an idea backed by 1549 of the 2093 people it surveyed earlier this month.

Alex Neill, Which?’s managing director of home products and services, said: “Data breaches are now more commonplace and yet many people have no idea what to do or who to turn to when their personal data is compromised. The Government should use the Data Protection Bill to give independent bodies the power to seek collective redress on behalf of consumers when a company has failed to take sufficient action following a data breach.”

Meanwhile, civil rights group Liberty, the Joint Council for the Welfare of Immigrants and the Race Equality Foundation have criticised the Bill’s proposed exemption to privacy rights for immigration investigations.

Martha Spurrier, the director of Liberty, called the Bill “a shameless attempt to subordinate migrants’ fundamental privacy and data protection rights to immigration control” and a “nakedly racist provision”.

Satbir Singh, the chief executive of the Joint Council for the Welfare of Immigrants, asked: “Why should migrants be denied the right to have their information processed lawfully, fairly and transparently?”

And Jabeer Butt, the chief executive of the Race Equality Foundation, said: “the proposals in the Data Protection Bill will undermine trust in public services by removing privacy protections and turning more public sector workers into immigration officers.”

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.